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(Rev. 01*31-20()3) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence ROUTINE 
To:- Cyber Division 


From:- San Francisco 

Squad CY"2/San Uose 

Contact:- SA 


Date^ 10/08/2009 
ATT N:- Computer Intrusion' U nit #2 

SSAI I 


Approved By :- 
Drafted By: 


TP€ 


Case ID #:- 288A-srTl«# (Pending) ^ ' 
288A-SF-NEW-GJ (Rending) 


Title:- ANTT-SEC; 

UNSUB(S), et al; 

-IMAGESHACK VICTIM; 

COMRUTER INTRUSTON 

Synopsis:- To Open Case and SJjbfiles. 

Details:- On October 8, 20 ^, Special Agent _ wet 

with employees of IMAGEShAck located at 23y6 North Santa CrUz 
A venue^ Los Gatos. 'Cali^fornia._95030, to fiiscUss two recenr 
computer intrusions of IMAGESHACK servers. IMAGESHACK is a 
company which provides internet image hosting. 

IMAGESHACK advised SA l I that the first computer 
intrusion occurred on July 10/ 2009 at approximately 7 pm Raci.fic 
Standard Time (RST). A group by the name of ANTT-SEC gained 
access to one of the company database servers. The server th e 
hacker(s) accessed contained | I 




The hacker(s) were also 


_I In addition, the hacker(s) posted a message on the 

internet which claims the ANTI-SEC is a movement dedicated to the 
eradication of fuli disclosure. Their message further explained 
they plan to achieve this "through the full and unrelenting/ 
unmerciful elimination of all supporters of full-disclosure and 
the security industry in its present form." 


0 ^ 




10 | 0 ^ 










To:- 

Re:- 


i' 


San Trancisc 
288A-SF-NEW, 




From:- San 
10/08/2009 


Francisco 



IMAGESHACK advised this computer intrusion affected 
approximately SO million images and every user that was on their 
site at the time viewing -images. IMAGESHACK -is still not sure 
how the hacker got into their database but believe 
I I Aft-ftr f.his att.af.k. t-.hev went through tneir 


servers! 


On August 2 , 2009, IMAGESHACK believes the same 
hacker(s) came back and gained access to their servers again. 
IMAGESHAC K has full and complete logs. It Is apparent the 
hacker(s)I I 


IMAGESHACK believes in the first com 
Julv 2009. the hacker(s) accessed one database 

puter intrusion in 



1 IlMAGESHACK believes the hacker(s)l \ 



IMAGESHACK estimates their losses at approximately 



$26,000. 


b6 

b7C 

b7E 


b6 

b7C 

b7E 


b6 

b7C 

b7E 


It is requested that the following subfiles be opened:- 


Grand Jury 


SUB GJ 


It is requested that the new cas^ and subfiles be 
opened and assigned to SA 


b6 

b7C 


♦♦ 


2 









10/21/09 

12:08:07 



Title and Character of Case: 
MTI SEC 


'FD-192 


ICMIPROl 
Page a 


Date Property Acquired:- 
10/08/2009 


Source from whi ch Property Acqui red:- 
IMAGBSHACK, C/O l ~l 263 N. SANTA CRUZ 

26'3 N SANTA CRUZ AVS #100 
LOS GATOS CA 95030 


b6 

b7C 


Anticipated Disposition:- Acquired Bv:- Case Agent; 


Description of Property:- Date Entered 

.IB 1 

SIX (6) hard drives :- 

-THREE (3) western DIGITAL S/N WMAP41239964,S/N WMAKHi25207l 
AND S/N WMAKE215'3028 

-TWO(2) HITACHI S/N CKC4U'9SE, S/N CKC5H4ME 
-ONB(l) SAMSUNG S/N S09QJ1UL218644 
ONB(l) HITACHI 

Barcode:- E4189643 Location;- SJECR PRESS3 10/09/2009 




Case Number:- 288A-SF-145486 
Owning Office:- SAN FRANCISCO 









08/19/10 

19:29:55 




# 


FD-192 


Title and Character of Case; 
ANTI SEC 


Date Property Acquired;- Source from which Property Acquired: 

SV-RCFL 

08/19/2010 


Anticipated Disposition 


Description of Property ;■ 
IB 2 




Case Aqent 



ONEd) CD labeled SV-09-0162 (DERIVATIVE EVIDENCE OF IBl) 


Barcode:- E4189947 


Location:- SJECR 


PRESS3 


^ '(^XSIMjACL^ [f\ ^ I p9 • <xf-r 


ICMIPROI 
Page 1 


Case Number:- 288A-SF-145486 
Owning Office;- SAN FRANCISCO 



Date Entered 


08/19/2010 




^ Ilh.Z 
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FD.302(Rev. l(M-95) 



-l- 

FEDERAL BUREAU OF INVESTIGATION 


Date of traoscfiptioo TQ/09/20Q9 


On October 8, 2009,|_I was interviewed at 

his place of employment, -IMAGESHACK, located at '236 North San Cruz 
Avenue, Suite 100, Los Gatos, California, 95030, telephone number 
408-836-8579. After_hainA advised of the identity of the 


Interviewing agent 




provided the following information;- 


On July 10, 2009 at approximately 7:00 p.ra., IMAGESHACK 
servers were hacked. The hacker(s) we re able to get into the _ 


database server. 
passwords wereF" 


This server conta ins 

iL 




I Indicated the user 
] This sever also contained 


I indicated IMAGESHACK does not collect or mainta in any credit 
card in format-ion | I However. 

<;t:at:ed the hacker (would have had I | 


nacKer(s) 
hacker(s) 


would have had |_ 

ladvised that from that server, the 

I Ultimately, the 


b6 

b7C 

b7E 


I 


Jadvised this affected every 


oh VidWihg images and approximately 50 million images. 

He indicated IMAGESHACK user images we re repla ced with this 
propaganda message for several hours. I I said this caused 

quite a stir on the i^nternet ^ as it affected many website 


backgrounds as well. 


advised a group named ANTI-SEC claimed 


responsibility for the hack of IMAGESHACK on the internet. 


] said th e technical team at IMAGESHACK be lieved the 


hack was a result of an |_] He . 

advifif^d t-hat-. Aft-f^r hack, t-.hfi f.p»chnical at IMAGESHACK I 


back. He 
hacker (s) 


On August 2, 2009, 
advised the staff at IMAG 
because the 


indicated the hacker(s) came 
:SHACK believes it was the same 


hackerw ereT 
was able tol 


] 


dvised that at the time 


it appeared the 
\ The technical team 


b6 

b7C 

b7E 


investigatk®on 09/08/2009 Los Gatos, California 
Fite # 288A-SF-145486":^ 
by 


D«e NA 


SA 


b6 

b7C 




Thh cCtfvtuins ticithcf rc^omxncihS^rtions nctf ccaJCluSiOQS of the FBI It i$ the prof^rty of the FBI and loaned to youf agency; 

it aj^ iu contents are tiot to l?e di$trit>i^ed your agency. 
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FD-3C^(Rev. 10-6-95) 




288A-SF-145.486- 



$26,450. 


He stated the estimated company losses are approximately 


_I provided one Computer Disk (CD) labeled IMAGESHACK 

ANTISEC which he did not want returned that contained copies of an 
overview of the hac k's, the ANTI -SEC jpg image posted to the 
servers/ email irom [~ -regarding the identity of the 

hacker(s), and chat logs from IMAGESHACK staff during the August 2, 


2009 attack. 


I_ I provided six. hard drives to S.A|_| and 

signed an FD-.941 Consent to .Search Computer(s) form for these six 

hard drives. |_ _ _|was also provided and signed an FD- 

597 United States Department of Justice, Federal Bureau of 
Investigation, Receipt For Property Received. The. fd-94l and FD-' 
597 and CD have been placed in a lA-envelope and'sent to the .file. 
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(Rcv.050J-200$) 

(S) 


CLmSSIIIlB BY 
RimSON: 1.4 (c> 
mchmssxwi OM: 0»-2:»-2fl3« 
BliTl: 


s 




mil H^DEBmfXQN COMTIlIlfflll 
miiiM IS infillssxFiEB Emmwfl 
raHERE smmi otheemise 

bl 

b3 


FEDERAL BUREAU OF INVESTIGATION 


(S) 


(U) 

(U) 


Precedence: ROUTINE 
To: San Francisco 


Date: 11/03/2009 


Attn: SA 
SA 


:y-2 

, CY-3 


From: San Francisco 

Oakland RA 
Contact: 


1-2 and CY-3 


Approved By: 
Drafted By: 


Case ID #: I .I 

(U) 288J-SF-141890 (Pending) 

(U) ^88A-SF-145486 ^3 


b6 

b7C 


bl 

b3 


Title:- 


DEATH IS COMING -FROM THE EAST; 
UNSUB(S); 

Cl/Cl - TNII 


WORLD DEFACERS, 
UNSUB(S); 

CT - TNII 
00;SF 


(U) 



(U) 


Synopsis: 
Anti-Sec. 


Anti-Sec 
UNSUB(S); 

IMAGESHACK - VICTIM 

Identification of possible founding member of 


Di?rved-^irea^ ^ FBI ^ glgGG*^OOSOEl5 
Dedaseify'Onl 20341103“ -- 


fS) 

(U) 

(S) 

IS] 


Reference: 



;;^gi:'288A-SF-145486 Serial 1 




bl 

b3 
















bl 

b3 


(S) 


(U) Open searches provide n o information that 

Anti-Sec hacked 



San Francisco divisioni I 

I A nacKing group 

named Anti-Sec gaine d access to one of the company's databa se 
servers and accessed I I 

L The hackers 

changed the server settings to redirect every image to a 
hacker logo. The hackers posted a message claiming that the 
Anti-Sec group is dedicated to the eradication of full 
disclosure by eliminating the cyber security industry. 
(288A-SF-145486, Serial : 1) 


b7E 


b6 

b7C 

b7E 


(U) Anti'Sec claimed that a 


1 |. An identified 1 1 

1 

further stated that Anti-sec raoricatea 


the claim of l I 


White-Hat Hacker and Cyber Security Communities. Open source 
research r evealed that several large web hosting companies 
considered I _ I 

(800A-HQ-C1591622-NOADMIN, Serial : 20010). 


b7E 


gT//PnTTn^_ ar>f-iHg H-i gmiciged in 


b7E 


(800A-HQ-C1591622-NOADMIN, Serial 20010) 


(S) 


S^)S^//NOFORn| 


bl 

b3 


2 
























ET//N0F0RN/ 


r 


To:- 

Re: 


fian P-ranr-Haort_Pr-rtm_ffan Prannifinn 


LEAO(s} : 

Set Lead 1: (Info) 

SAN FRANCISCO 

AT SAN JOSE 
(U) Read and Clear. 


♦♦ 


S^0^^^/NOF^N>| 









UNCLASSIFIED 

FEDERAL BUR^U OF INVESTIGATION 


^Precedence:; ROUTINE ' Date:: 11/10/200$ 

■To:- San Francisco 


b6 

b7C 


Title:- ANTI-SEC; 

UNSOB(S); 

iMAGESHACK --‘VICTIM; 
COMPUTER iNTRUSIOli 


From:- San .Francisco 

Squad CY2/Sa 

Contact: SA 




Jose RA 


Approved By: 
Drafted By: 


Case ID #:- 288A-SF-145486 (Pending 




Synopsis:- To Report US-Attorney Office concurrence for new case 
opening. 




.Details:: On October -9, 2009, Special Agent (sA) 
emailed Chief Assistant United State s Attorney .(AUSA ) ifor the 
Computer Intrusion and Hacking Unit,. r I regarding 

concurrence for new baptioned investig ation. The email contained 


a summary of ‘the case information. SA|_] was contacted 

telephonically and granted concurre nce regarding captioned 
investigation and advised that ^AUSA | |wouid be 

assigned the case. 


Attached and: made a part of this document is the email 
to AUSA I I 



UNCLASSIFIED 




b6 

b7C 






UNCLASSIFIED 


t 

FD-542(Rev,<»3-23*2CK») 




FEDERAL BUREAU OF INVESTIGATION 


’Precedence:- ROUTINE Date:- 11/13/2009 

To:- San Francisco 

From:- San Francisco 

Squad dY2/Sa 
Contact:- SA 

Approved By :- 

Drafted By:- 

Case ID #:■ 288A-SF-14,5486: (Pendi.ng>^^ ^ 

Title: ANTI-SEC; 

UNSUB(S), et al; 

■IMAGESHACK - VICTIM; 

COMROTER INTRUSTON 


b6 

b7C 



Synopsis:- To Claim Statistics. 


Details:- On September 16, 2009, Special Agent (SA)I _ 

telephonically spoke to the victim company, Imageshack, 
.regarding captioned matter and set a date to meet in person. 


On October 8, 2009, SA 


met with 


Imageshack and obtained the detailed ibiformation about the 
captioned computer intrusions. ,Possible subject(s) have been 
Identified. 


b6 

b7C 

b7E 



UNCLASSIFIED 







UNCLASSIFIED 




To: San Francisco From:- San Francisco 
Re:- 288A-SF-14S486V ll/.l'3/2009 


Accomplishment Information :- 

Number:- 2 

Type:- CIP 2703(f) ORDER SERVED 
ITU:- CIP 

ITU:- :LIAIS0N WITH OTHER AGENCY 

Claimed By:-|- 1 

SSN:- 

Name:- _ 

Squad CY2 


Number:- 2 

Type^ CIP SUBJECT IDENTIFIED 
ITU:- CIP 

ITU:- LIAISON WITH OTHER AGENCY 

Claimed Byt_, 

SSN:- 

Name :■ |_ 

Squad:- CY2 


b6 

b7C 


Number:- 2 

Type^ CIP VICTIM CONTACTED/INTERVIEWED 
ITU:- AGENT INTERVIEW 
-ITU:- CIP 

ITU:- INDIVI DUAL/NON- INFORMANT 
ITU:- .LIAISON WITH OTHER AGENCY 

Claimed By:-,-, 

SSN:- 

Name: _ 

Squad :-^ CY2 


♦♦ 


UNCLASSIFIED 


2 









aforementioned facsimile had been attached and is .made: a part of 
this, document.; 



ThH documcftt ooxrtiifis neither recommerhi^tioos nor e^clvsioo$ of the FBI. It is the pre^rty of the FBI *a4 is I<««e4 to yow agency; 
at an4 its contents are not to be distributed ov^idc yw ^ency, 
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li: 

FEDERAL BUREAU OF INVESTIGATION 


Date ef transcription 03/02/2010 

On January 23, 2010, Special Agent fSA)I I 

rrar;<a-i vipH a y^Qrvoncta a_fa^<;Snr>S t-r» a I I 



The above referenced letter had been attached and Is made 
a part of this document. 


Investigation on 01/23/2010 at Campbell, California_(via facsimile) 


File # 288A--SF-14548e - \h- 

sa| ~| 


_ D«tc dictated 

b6 

b7C _ 


NA 





This docttrttcftt toftttitts neither rccorrrnicridjftiorts not conclusions of the FBI. is the pfc^ity of the FBI *n4 is k«tned to ywr t|cocy; 
it «n4 Us contents sre not to he disuihuted outside your agency, 







FD-542(Rev,03-23-20(») 


UNCLASSIFIED< 

FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date:- OX/1472010 

To:- San Francisco 


;Frora:- San Francisco 

Squad. CT2 / S an_jlQS£-BA_ 
Contact: SA 


Approved By: 
Drafted' By: 


Case ID #:- 288A-SF-145486- (Pending^xj^ 


b6 

b7C 


-Title:- ANTI-SEC; 

■ UNSUB(S), et al; 
JMAGESHACK - VICTIM; 
COMPUTER -iNTRUSTbN 


Synopsis:- To Claim Statistics. 

Details:- On January 12. 2010. Special Agent (SA) I I 


On October 8, 2009, Imageshack provided SA | 1 Vith six 

’hard drives and conseht 'to search those hard drives. 


UNCLASSIFIED 






UNCLASSIFIED 






To:- San Francisco From:- San Francisco 
•Re:; 288A-SF-145486,. 01/14/2010 


Accomplishment Information :- 


Number:- 1 

Type:- CIR 2703(f) ORDER SERVED 
ITU:- CIP 

TTU:- LIATSON WITH, OTHER AGENCY 

Claimed Byi_ 

SSN:' 

Name :• |_ 

Squad:- CY2 


Number:- ‘8 

Type:- -CIP VICTIM CONTACTED/INTERVTEWED 
ITU:- consensual SEARCH 


Claimed By:- 
SSN :-■ 
Name :- 
SqUad::' 


■CY2" 


b6 

b7C 




UNCLASSIFIED 


2 






FD-3C!2(Rev. 10-«-95) 



iL‘ 

FEDERAL BUREAU OF INVESTIGATION 


Pale of transcription 04 /27/2012 


returned 


2012. Specia l Agent 

_I at his place of employment 


Oh April 27. 
six hard, drives to l 

IMAGESHACK, 236 Santa Cruz Avenue^ Los Gatos, California, 95030. 
copy of the signed FD-597 United States Department of Justice 
Federal'bureau of Investigation Receipt :for Property 
Received/Returned/Released/Seized had been placed in a lA envelop 
and sent to the file. 


A 


Investigation on 4/27/2012_at 


File# 288A-SF-145486 



Los Gatos, California 


Daitc 4ia«c4 


:NA 


b6 

b7C 


This ^ocunacDit tonttm odthet rcconMncn4atioas c<?ncIusiotts ot the FBI Dt is the pre^rty of the FBI stn4 is loaned to yout agency; 
it and its contents are not to he distributed outside yew agency. 


b6 

b7C 








UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 04/27/2012 

To: San Francisco 


From: San Francisco 

Squad CY2/Sai^ Jose RA 
Contact: SA 


Approved By: 
Drafted By: 




Case ID #: 288A-SF-145486 (Closed) 




b6 

b7C 


Title: ANTI-SEC; 

UNSUB(S), et al; 
IMAGESHACK - VICTIM 
COMPUTER INTRUSION 


Synopsis: To Close Captioned Case. 

Details: Assistant United States Attorney (AUSA) 


(SA) 


Special Agent 
investigation_and, its status on numerous occasions 


and 

^ ■ 
have discussed captioned 

On March 16, 


2012, AUSAI 
be closed. 


SA 


1 inq uired via email if captioned investigation could 


lOU 

ai 


advised that since there are no good subject 


internet protocol (IP) addresses and no good follow-up leads or 
information from current sources, captioned investigation should be 
closed. 


The evidence obtained in this investigation did not derive 
enough probable cause to resUlt in the identifi cation of a sxibject for 
a prosecuteable offense. On April 18, 2012, SA | y| received a 
Tetter from the United States Attorney's Office stating that their 
office has closed the investigation. The abovementioned letter has 
been attached and is made a part of this document. 


On April 27, 2012, SA 


returned the hard drives 


provided by Imageshack as evidence in captioned case back to the 
victim company. 


It is recommended that captioned case be closed and that tl^ 
evidence collected on captioned case be destroyed and/or returned 

UNCLASSIFIED 


I 











V 


• . • 

UNCLASSIFIED 

■To:- Sain Fraincisco From:- San Francisco 
Re: 288A-SF-i45486, 04/27/2012 


pursuant tO’ FBI policy. There: are no pending leads dr further 
investigatidri. required: dn captioned case.: 


♦♦ 


UNCLASSIFIED 


2. 






U.S. Departm^l^f Justice 

lUnited States Attorney 
Northern District of California 


Special Agent 

ISO Almaden Boulevard, Suite 900 
San Jose; California' 9SIJS 

April 18,2012 

DD: (408) S35-5061 
FAX:(408) $35^5066 

Federal Bureau of Investigation 

1919 S. Bascom Avenue, Suite 400 


b6 

b7C 

Campbell, CA 95008 




RE: ImaseShack Intrusion 


Dear Special‘Agent 


This letter.is to confirm that my office has closed the investigation into the ImageShack 
•intrusion by a group known as Anti-Sec. Based on our conversations, you have conducted an 
exhaustive investigation and have been unable to identify the individual responsible for the 
intrusion. If you find new evidence, please resubriiit the case for prosecution. 

I appreciate all of your wo rk on the case. Ple ase do hot hesitate to contact me if you have 
any questions. l ean be reached aJ 


VeryJruly yours, 

MEIilNDAHAAG 
United States Attorney 


Assistant United States Attorney 



I 






